Agenda

Exploits

Our ATM | Payment Processor | RMS | XFS

A Decade of Progress

Have things improved?

How did we get here?
ATMs aren't normally an impulse buy. 




[Photo: boot screen, "Booting... Microsoft Windows CE 6.0 EBOOT ... (c) Copyright Nautilus Hyosung Inc. All Rights Reserved."]




[Photos: ATM signage "NO SURCHARGE FOR BALANCE INQUIRIES", "NEED CASH? ATM MACHINE"; a wall-mount ATM]

[Screenshot: LEADERBOARD.EXE, "HSBC&L Fortune 500" (updated every minute), "> CLICK HERE TO REGISTER <", a CTF leaderboard table with columns Rank, Name, Completed]
How does an ATM work?

1. [...] card
2. ...
3. Profit

It's a vault... with some holes.

[Diagram: ATM cabinet split into two zones]
Lower security (electronics): receipt printer, card reader, PIN pad
Higher security (cash): cash dispenser
Windows Embedded CE 6.0

A version of the Windows CE operating system.

- Windows CE 6.0: its latest release (6.0 R3, September 22, 2009) came before Barnaby Jack's ATM talk at DEF CON 18 (2010)
- Lacks a lot of the modern protections you'd expect from a device holding thousands of dollars in cash

[Infobox, from Wikipedia]
Developer: Microsoft
Source model: Closed-source, source-available (through Shared Source)
Released to manufacturing: November 1, 2006
Latest release: 6.0 R3 / September 22, 2009
Kernel type: Hybrid kernel
License: Commercial software
Preceded by: Windows CE 5.0
Succeeded by: Windows Embedded Compact 7
Support status: mainstream support ended April 9, 2013; extended support ended April 10, 2018
[Photo: main board with connectors labelled Mini-USB, LCD screen, HDMI, SD card]
Escaping WinAtm.exe

- Our initial attempts to control the ATM (leveraging the OS features) failed
- Keyboard didn't seem to work (we tried at least three)
- And a mouse
- Why not?

[Screenshot: Windows Run dialog, "Type the name of a program, folder, document, or Internet resource, and Windows will open it for you."]

Minimal Feature Set

- Why would an ATM need a keyboard?
- More useful to attackers than to technicians: a vector for keystroke injection (USB Rubber Ducky, etc.)
- The HID drivers aren't even built into the firmware: KBDHID.dll and MOUHID.dll are absent
Suspicious Front / Suspicious Back

[Photo: main board + peripherals of the ATM]

Verified JTAG with a JTAGulator

- Standard 10-pin ARM connector
- Need to solder extra pull-up / pull-down resistors at the back
- Able to connect with a debugger

[Photo: soldered JTAG header on the ATM main board]
Dumping the Flash

- The firmware is stored in a NAND flash
- 48 pins: very painful to rip out from the board
- Used a SuperPro to read and write the flash

[Photo: main board with TSOP48 NAND flash]

Eventually the board died :(

- After a few trials of soldering and desoldering, the board died
- Pin pads were ripped out and we cannot recover it

Do we need to buy a new ATM? No!

[Screenshot: ATMPartMart.com listing, "Hyosung Cortex Mainboard For NH 2700CE, NH 1800SE, Halo/S, Halo II, 1500SE & More, Refurbished", part number 31050REF, starting at $400.00, weight 1 lb, made by Nautilus Hyosung; support@atmpartmart.com, (866) 417-2286]


Let's take the easy way out

- We got a new board, but we don't want to break it again
- Maybe someone did some reverse engineering and put it online?
- Maybe the firmware is already online?
  - It's an ATM, so probably not, right?
  - Or maybe the firmware is behind some paywall

Firmware publicly available

[Screenshot: vendor download page listing firmware updates per model: 1500SE (1500 EMV Upgraded), 1800SE, 2700, 2700T, HALO & HALO II, MX5000SE, MX5200SE, FORCE, MX4000W, 1800CE, 5000CE, 5300CE]

Full firmware update:
- EBOOT21s.bin: bootloader (Windows CE format)
- OS files (Windows CE format)
- Application binaries: WinATM.exe, TranCtrl.dll, DevCtrl.dll, NetCtrl.dll, Data\, Wave\
Dispense Money

[IDA export listing from the application DLLs]
; Exported entry 351. ?fnCDU_Dispense@CDevCmn@@QAAHH@Z
EXPORT ?fnCDU_Dispense@CDevCmn@@QAAHH@Z
    [ARM prologue saving R4-R6 and LR; sets up arguments (R1 = #8, an int); calls ?fnAPL_GetDefineDevice@CDevCmn@@QAAHH@Z; ...]

; public: int __cdecl CDevCmn::fnSPR_PrintReceipt(int, class ATL::CStringT<wchar_t, class StrTraitMFC_DLL<wchar_t, class ATL::ChTraitsOS<wc...
EXPORT ?fnSPR_PrintReceipt@CDevCmn@@QAAHHV?$CStringT@...
Analyzing application firmware with IDA

First firmware modification attempt

- Tried to change the "Please wait while Loading" screen to "Please wait while Pwning"
- Got stuck on the boot-up screen

[Photo: ATM stuck on the boot screen]

Microsoft code signing

- Ensures software has not been corrupted by a third party
- In our case, the application binaries are signed with a certificate for MX5300CE
- We don't know where the certificate is, how the verification process works, etc.

[Screenshot: WinAtm.exe Properties, Digital Signatures tab: a digital signature is present on the application]

Two options: reverse engineer the code-signing algorithm, create our own certificate and re-sign everything... or make the check return True.
BINFS

- nk.bin is packaged in the BinFS (.bin) format
- The kernel and libraries are packed into a record in the BinFS file

[Diagram of the .bin layout]
BINFS header
Record1: address, length, data, checksum
Record2: address, length, data, checksum
... (many records)

[Photo: main board with TSOP48 NAND flash]


Understanding the kernel binary

[Diagram: layout of the Windows CE binary inside nk.bin]

CE header:
  'ECEC' (CE magic)
  start address
  ROMHDR pointer

ROMHDR structure:
  physical start addr
  physical end addr
  # modules
  # files
  ...
  module entries

Module entries:

Name: nk.exe
Start addr: 0x80020000
Size: 0x12C00
E32 addr: 0x3B2F90
O32 addr: 0x01618FA0

Name: kernel.dll
Start addr: 0x80030000
Size: 0x3C400
E32 addr: 0x81CF90
O32 addr: 0x14B4FB4

Bypassing Signature verification

- Used eimgfs to extract files: https://github.com/nlitsme/eimgfs
- Most of the firmware is signed... but not all files are
- The kernel binaries are unsigned, including filesys.dll, the module that performs the certificate verification

[Screenshot: filesys.dll Properties: Application extension (.dll), Location C:\Users\User\Desktop\nhv21snk_dumprom, Size 235 KB (241,316 bytes), Size on disk 236 KB (241,664 bytes), and no Digital Signatures tab]

No digital signatures on kernel binaries!


[Control flow graph of the CertVerify function in IDA, from filesys.dll]

1. Found the certificate verification function: the failure path references the string aCertverifyFail ("CertVerify fail...") and calls sub_C014444C, then picks the error code up from the stack ([SP,#0x2C+var_28]) into R0 before the common epilogue at loc_C01348EC (ADD SP, #8; LDMFD SP!, {R4-R11,LR}; BX LR).
2. A successful operation does MOV R0, #4 and returns 4 to the caller.
3. Instead of returning an error code, patch the failure path to "MOV R0, #4" as well, so every certificate check reports success.
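An added example (not the speakers' tooling) of the edit the slide describes: encode MOV R0, #imm as an A32 instruction and write it into a .bin record, recomputing that record's checksum so the patched image still loads. The MOV encoding is the ARM architecture's modified-immediate form; the checksum rule (32-bit sum of the record's data bytes) is the B000FF format. The record below is constructed and the instruction address is arbitrary; where to patch comes from the CFG in IDA, as it did in the talk, and after patching the record is re-wrapped with the .bin writer of your choice (the talk used eimgfs).

```python
import struct


def encode_arm_mov_imm(rd, value, cond=0xE):
    """Encode the A32 instruction MOV Rd, #value as 4 little-endian bytes.
    A32 immediates are an 8-bit constant rotated right by an even amount, so the
    rotation that makes `value` fit is searched for; a value that cannot be
    expressed in one MOV (e.g. 0x101) raises ValueError instead of being mangled."""
    if not 0 <= rd < 16 or not 0 <= value < 1 << 32:
        raise ValueError("bad register or value")
    for rot in range(0, 32, 2):
        imm8 = ((value << rot) | (value >> (32 - rot))) & 0xFFFFFFFF  # rotate left
        if imm8 <= 0xFF:
            word = (cond << 28) | (0x3A0 << 16) | (rd << 12) | ((rot // 2) << 8) | imm8
            return struct.pack("<I", word)
    raise ValueError("%#x is not an A32 modified immediate" % value)


def patch_record(rec_addr, data, target, new_bytes):
    """Write new_bytes at physical address `target` inside a .bin record given as
    (rec_addr, data). Returns (patched_data, checksum); the checksum is the 32-bit
    byte sum that the record header must carry, or the loader rejects the record."""
    off = target - rec_addr
    if off < 0 or off + len(new_bytes) > len(data):
        raise ValueError("patch does not fit inside record at %#x" % rec_addr)
    patched = bytearray(data)
    patched[off:off + len(new_bytes)] = new_bytes
    return bytes(patched), sum(patched) & 0xFFFFFFFF


def force_return_value(rec_addr, data, instr_addr, value):
    """Replace the 4-byte A32 instruction at instr_addr with MOV R0, #value, the
    edit that turns the CertVerify failure path into a success return. Valid only
    where the original is an A32 instruction (Thumb encodings are 2 or 4 bytes and
    differ); that is confirmed from the disassembly, not guessed here."""
    if instr_addr % 4:
        raise ValueError("A32 instructions are 4-byte aligned")
    return patch_record(rec_addr, data, instr_addr, encode_arm_mov_imm(0, value))


if __name__ == "__main__":
    # Constructed record standing in for the one holding filesys.dll: 32 bytes of
    # padding with LDR R0, [SP,#4] (E59D0004) at +0x10 as the "error code" load.
    rec_addr = 0xC0134000
    data = bytes(0x10) + bytes.fromhex("04009de5") + bytes(0x0C)
    patched, checksum = force_return_value(rec_addr, data, rec_addr + 0x10, 4)
    print(patched[0x10:0x14].hex(), "new record checksum %#010x" % checksum)
```

The patch is exactly one instruction long, which matters: the replaced instruction was a 4-byte load, so code after it keeps its addresses and the branch targets in the CFG stay valid.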


Pwning the ATM

- Successfully bypassed signature verification in the kernel
- Able to modify the firmware and add our own custom code to the ATM

It boots, but doesn't work as an ATM

- Each update takes 20 minutes
  - Each update resets the ATM and we need to manually punch in the settings every time
- Found a lot of peculiar commands
  - You can clear NVRAM by hitting Clear, Left, Right, Clear, Clear, Cancel within 5 seconds of the loading screen
  - Enter > Clear > Cancel > 1 > 2 > 3 brings you to the operator screen

What do we have now?

- JTAG
- Full firmware (with debugging symbols)
- Full firmware update process
- Ability to modify, add and remove executables on the ATM


Stuck on the host screen

What is the Triton Protocol?

[Diagram: ATM <-> Payment Processor]

- 4 types of request/response pairs: Configuration, Transaction, Host Totals, Reversals
- Documentation can be found with enough google-fu, but it is very out of date
- Used Wireshark to figure out the correct request/response format

[Document: "Triton Terminal Communications Protocol And Message Format Specification", Triton (a Dover company), PRELIMINARY, Version TSCD5.22, July 19, 2004, Phone: (228) 868-1317, Fax: (228) 868-0437]

Limitations

Triton documentation found online


First request: Configuration

ATM -> Payment Processor: ATM Terminal ID, Transaction Code: 60 (Configuration)

First response: Configuration

Payment Processor -> ATM: ATM Terminal ID, Transaction Code: 60 (Configuration), Surcharge amount

Subsequent requests: Transaction

ATM -> Payment Processor: ATM Terminal ID, Transaction Code: Balance Inquiry/Withdrawal, Card number, Encrypted PIN block, Withdrawal amount / balance

Subsequent responses: Transaction

Payment Processor -> ATM: ATM Terminal ID, Transaction Code: Balance Inquiry/Withdrawal, Response Code: Success/Error code


Is our information encrypted?

- Yes!
- TLS/SSL: operators can opt to use SSL or TLS to encrypt the Triton traffic
- PINs have an extra layer of protection: most use Triple DES encryption

Step 1: PIN block construction
[0] [N] [N-digit PIN] [14 - N padding nibbles]   (16 hex digits, one 8-byte DES block)

Step 2: PIN encryption on the ATM (TDES, encrypt-decrypt-encrypt)
Cleartext PIN block -> DES encrypt with K1 -> DES decrypt with K2 -> DES encrypt with K1 -> ciphertext PIN block

Step 3: PIN decryption on the server (the inverse of step 2, not a repeat of it)
Ciphertext PIN block -> DES decrypt with K1 -> DES encrypt with K2 -> DES decrypt with K1 -> cleartext PIN block


Shared key between ATM and server

- When the ATM is set up, the technician punches in two 64-bit key components
- These two components are XORed together to form the MASTER key
- The server also has knowledge of the MASTER key, but this is NOT the key used to encrypt the PIN

[Diagram: key exchange between the ATM and the Payment Processor, both holding the MASTER KEY]

1. ATM -> Processor: "I'm using TDES"
2. Processor: TDES-encrypts two other keys, K1 and K2, with the MASTER key and sends the encrypted K1 and K2 to the ATM
3. ATM: decrypts K1 and K2 with the MASTER key
4. Someone enters their PIN
5. ATM: the PIN block is encrypted with K1 and K2 and the encrypted PIN block is sent to the processor
6. Processor: decrypts the PIN block with K1 and K2
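An added example, not code from the talk: the two pieces of this scheme that can be shown without a DES implementation, the PIN block layout from step 1 and the combination of the technician's two key components into the master key. The PIN block is ISO 9564-1 format 0; the standard also XORs the block with a PAN field, a stage the slide's diagram leaves out, so the function takes pan=None to return just the raw field the slide shows. The parity and weak-key checks on the combined key are ordinary DES key hygiene and are this example's addition, not something the slides describe; all PINs, PANs and key components below are constructed test values.

```python
DES_WEAK_KEYS = {bytes.fromhex(k) for k in
                 ("0101010101010101", "FEFEFEFEFEFEFEFE",
                  "E0E0E0E0F1F1F1F1", "1F1F1F1F0E0E0E0E")}


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def pan_field(pan):
    """0000 followed by the 12 rightmost PAN digits excluding the check digit."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be at least 13 digits")
    return bytes.fromhex("0000" + pan[-13:-1])


def iso0_pin_block(pin, pan=None):
    """ISO 9564-1 format 0: '0 | N | PIN | F padding' (the slide's step 1), then
    XOR with the PAN field when a PAN is given, as the standard requires."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 digits")
    field = "0%X%s" % (len(pin), pin)
    block = bytes.fromhex(field + "F" * (16 - len(field)))
    return block if pan is None else xor_bytes(block, pan_field(pan))


def pin_from_block(block, pan=None):
    """Inverse of iso0_pin_block: what the host does after TDES-decrypting the block.
    Rejects blocks whose format nibble, length or padding are malformed."""
    if pan is not None:
        block = xor_bytes(block, pan_field(pan))
    h = block.hex().upper()
    n = int(h[1], 16)
    if h[0] != "0" or not 4 <= n <= 12 or h[2 + n:] != "F" * (14 - n):
        raise ValueError("not a well-formed format 0 PIN block")
    return h[2:2 + n]


def has_odd_parity(key):
    return all(bin(b).count("1") % 2 == 1 for b in key)


def adjust_parity(key):
    """DES ignores the low bit of each key byte; it is conventionally set so every
    byte has odd parity, which is what lets a mistyped component be caught."""
    return bytes(b ^ 1 if bin(b).count("1") % 2 == 0 else b for b in key)


def combine_key_components(comp1_hex, comp2_hex):
    """Form the master key the way the slide describes: XOR the two 64-bit
    components the technician keys in. Each component must carry odd parity (a typo
    usually breaks it); the XOR of two odd-parity bytes is even, so the result is
    parity-adjusted, then checked against the DES weak keys before being accepted."""
    k1, k2 = bytes.fromhex(comp1_hex), bytes.fromhex(comp2_hex)
    if len(k1) != 8 or len(k2) != 8:
        raise ValueError("components must be 64-bit (16 hex digits)")
    if not (has_odd_parity(k1) and has_odd_parity(k2)):
        raise ValueError("component fails the DES parity check; re-enter it")
    master = adjust_parity(xor_bytes(k1, k2))
    if master in DES_WEAK_KEYS:
        raise ValueError("components combine to a DES weak key; choose new components")
    return master


if __name__ == "__main__":
    print(iso0_pin_block("1234", "4000001234567899").hex().upper())
    print(combine_key_components("0123456789ABCDEF", "1032547698BADCFE").hex().upper())
```

The second key-component pair in the test below is a useful reminder: two individually well-formed components (0123456789ABCDEF and FEDCBA9876543210) XOR to all ones, which parity-adjusts to FEFEFEFEFEFEFEFE, one of the four DES weak keys, and the master key must never be the key that encrypts PIN blocks, which is exactly why the working keys K1/K2 are sent down separately.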


Triton Pi

ATM finally functional! [Photo: the Triton protocol host running on a Raspberry Pi]

Port scan!

What's listening?

Services

Found 8 open ports (8083 scanned):

  80    World Wide Web HTTP                  -> Windows CE web server
  443   http protocol over TLS/SSL
  5555  "Personal Agent"                     -> Remote Management System (RMS)
  8001  "VCOM Tunnel"                        -> highlighted; explained in the XFS section
  8003  "Mulberry Connect Reporting Service" -> highlighted; explained in the XFS section
  8004                                       -> highlighted; explained in the XFS section
  8006  "World Programming analytics"
  8010

(The quoted names are the scanner's guesses from its port-number table, not identified services; the annotations on the right are what the listeners turned out to be.)

[Screenshot: http://<ATM>/ returns the stock page "The Windows Embedded CE Web Server is enabled on this device. This file is a placeholder and should be replaced. Please see your Platform Builder docs or our web site at http://msdn.microsoft.com/embedded."]

Windows CE Online

- Many WinCE devices with web servers... on the public internet
- Had good results with this Shodan query: product:"ChipPC Extreme httpd"

[Screenshot: Shodan results for that query, with hits on HTTP (8080), 8081, HTTP (81) and Kerberos, at Verizon Wireless, Deutsche Telekom AG and Vodafone Spain]

[Screenshot: ATM operator screen, RMS menu: "EN/DISABLE", "ATM LISTENING PORT", "CANCEL TO RETURN"]
What is RMS?

Remote Monitoring/Management Service/System

- Lets customers control a collection of ATMs remotely
  - Update firmware
  - Check amount of money left
  - Download transaction history

Setting up RMS on the ATM

- Optional functionality: users can enable/disable it
- Default port 5555
- Uses the ATM terminal ID and a custom password for verification

How RMS works

- Close to no documentation on RMS
- Used a combination of Wireshark, Ghidra and IDA to figure out the communication protocol

RMS Packet Structure

- Communication is obfuscated with a XOR table

Content       Description
STX (0x02)    RMS start byte
XX XX         Data length (n)
XX            Encryption seed
...           Encoded data (n bytes)
ETX (0x03)    RMS end byte
XX            Longitudinal Redundancy Check (LRC)

Not the first time looking at RMS

- Barnaby Jack (2010) jackpotted the ATMs via a vulnerability in RMS
- The RMS packet structure is still the same
- The obfuscation technique did not change
- A malformed packet led to an authentication bypass and eventual firmware modification
- So the service should be secure now.... right?

Boofuzz!

- We want to fuzz it, but we don't want to set up the memory or emulate Windows CE functions
- Network fuzzer
- Tests different types of inputs automatically
- Only need to define the protocol in code, and it does the rest

Got crashes!

- Every time we send an obscenely large packet (more than 10 kB), the device crashes and reboots
- This happens regardless of the terminal ID and password we send to the device
- With JTAG, we figured out that the crash happened in RMS_Proc_Tcp() in RMSCtrl.dll

A closer look at RMS_Proc_Tcp()

CDevCmn::fnNET_RMSConnectAccept()   Accepts incoming connection
        |
CRmsCtrl::RMS_Recv()                Receives RMS packet, decrypts with XOR table
        |
CRmsCtrl::RMS_VerifyMsg()           Verifies ATM terminal ID and password
        |
CRmsCtrl::RMS_ParseCMD()            Parses RMS command
        |
CDevCmn::RMSConnectClose()          Closes RMS connection

What exactly went wrong

- Buffer overflow: CRmsCtrl::RMS_Recv() copies the TCP packet into a global buffer without a bounds check
- Arbitrary code execution: the overflow eventually overwrites a function pointer that gets called when the application exits
- This copy happens before any kind of terminal ID/password verification: as long as your packet structure is sound, the buffer overflow happens

What can the attacker do?

- Most DLLs are paged out as the application exits, except for the functions that control the NVRAM
- What does NVRAM control? Basically anything on the admin screen

What is controlled by the NVRAM?

[Screenshots of operator screens: host settings and DENOMINATION]
- Point the ATM to a malicious server
- Change the denomination of the ATM

RMS Vulnerability Demo

Interacting with the ATM

- How to run executables?
  - We can run a few at the start by hijacking initialization routines via JTAG
  - Pretty clunky
- How to provide input?
  - Keyboard and mouse don't work at all
- What appeared to be a client USB port didn't work in our testing
  - Could have been missing drivers, wrong software, etc.

Compile our own tool

- It's Windows CE
- It's a standard platform
- How hard can it be?

[Visual Studio logo]

Caveat

- It's Windows CE 6.0
  - Technically, "Windows Embedded CE 6.0"
  - Microsoft got really into changing the name after 5.0
- It was released in 2006
- It's old

[Screenshot: Visual Studio 2008, New Project dialog: project type Visual C# > Smart Device ("A project for Smart Device applications. Choose target platform, Framework version, and template in the next dialog box."), name SmartDeviceProject1]
Building with C#

- Runs on the .NET framework
  - The ATM has the framework built in!
- Compact Framework
  - Like the CE kernel... most of the features are there, but it's just different enough to be annoying
- Older version
  - Useful modern features are missing
  - Can't always just copy/paste from StackOverflow

ATMHTTP.exe

- There is actually a web server built into the ATM
  - httpd.dll
  - ...but no DLL for ASP
  - Just serves up httpd's default.html ("The Windows Embedded CE Web Server is enabled on this device.")
- Most useful HTTP primitives aren't in the .NET version we're using
  - https://github.com/jeske/SimpleHttpServer
- Fast forward a bit, and now we have a web server

[Screenshot: Visual Studio 2008 with the ATMHTTP project running (index.html, HttpUtil.cs, toolhelp.cs, HttpServerBase.cs, coredll.cs, MainForm.cs; target "USA Windows Mobile 5.0 Pocket PC"), and Internet Explorer showing the "HSBC&L" (Happy Save Banking Corporation and Laundry Service) ATM web portal, with a link to the CTF leaderboard at http://10.0.0.3:5000, an EMPLOYEE PORTAL link and "©2005 Happy Save Banking Corporation (and Laundry!)"]

Launching on startup?

- Hooking into the ATM with a debugger at startup every time
  - Very manual process
  - Write ATMHTTP.exe into flash
  - Then we use the debugger to launch ATMHTTP.exe instead of WinAtm.exe
  - ATMHTTP.exe performs some initialization, then starts WinAtm.exe
- We could reverse this startup procedure
- Or find a way to edit the Windows CE registry and launch another process on startup

[Meme image: WinAtm.exe]

Just rename it

Boot ----> WinAtm.exe (our web server) ----> WinAtn.exe (the original WinAtm.exe)

Native code?

- We've only been building on .NET
- What does it take to run native code?
- Surely not that much more

[Visual Studio 2008 logo, crossed out]

We need to go deeper

- VS2005
  - And all the trimmings
  - 6 different installers to find
  - Shout out to archive.org
- Really need a Board Support Package (BSP)
  - Can use the built-in ones for our needs

1 - VS2005
2 - Windows Embedded CE 6.0
3 - Team Suite SP1 for VS2005
4 - Windows CE 6.0 SP1
5 - Platform Builder 6 R2
6 - Platform Builder 6 R3

[Screenshot: Visual Studio 2005, New Project: Platform Builder for CE 6.0 > OS Design, and the Windows Embedded CE 6.0 OS Design Wizard ("This wizard guides you through the process of creating an OS design for a CE 6.0 platform. An OS design defines the characteristics of a CE 6.0 OS. You can create an OS design by choosing a design template and one or more board support packages (BSPs). ... This wizard helps you: Choose a BSP. Choose a design template. Add items to your OS design or remove items from it."), with design templates Consumer Media Device, Industrial Device, PDA Device, Phone Device, Small Footprint Device and Thin Client; location C:\WINCE600\OSDesigns]

ATMHTTP Debugging Features

- We don't have a console to interface with
- Also, running a command on Windows CE and reading its stdout is ridiculously complicated
  - You have to set up a device and do some arcane magic
- Just set up endpoints for running useful commands
  - run command, dir, ps, kill, read file base64, write file base64, copy file, reg subkeys, reg values, reg dump, reg write, activatedeviceex, deactivatedevice, activateservice, send key, send keydown, send keyup, send click


Registry Dump

[Output of the reg dump endpoint; lines cut off at the right edge of the screenshot end in "...". MultiString values print as System.String[] because the endpoint calls ToString() on the array.]
HKEY_LOCAL_MACHINE\Comm\HTTPD\MaxLogSize:32768 (DWord)
HKEY_LOCAL_MACHINE\Comm\HTTPD\LogFileDirectory:\windows\www (String)
HKEY_LOCAL_MACHINE\Comm\HTTPD\NTLM:1 (DWord)
HKEY_LOCAL_MACHINE\Comm\HTTPD\Basic:0 (DWord)
HKEY_LOCAL_MACHINE\Comm\HTTPD\AdminUsers:ADMIN (String)
HKEY_LOCAL_MACHINE\Comm\HTTPD\VROOTS\/\Default:\windows\www\wwwpub\ ...
HKEY_LOCAL_MACHINE\Comm\HTTPD\VROOTS\/\a:0 (DWord)
HKEY_LOCAL_MACHINE\Comm\HTTPD\VROOTS\/MsmqAdmin\Default:\windows\msm...
HKEY_LOCAL_MACHINE\Comm\HTTPD\VROOTS\/MsmqAdmin\a:2 (DWord)
HKEY_LOCAL_MACHINE\Comm\HTTPD\VROOTS\/Msmq\Default:\windows\srmplsapi....
HKEY_LOCAL_MACHINE\Comm\HTTPD\ScriptMap\.wsdl:soapisap.dll (String)
HKEY_LOCAL_MACHINE\Comm\HTTPD\ScriptMap\.wsml:soapisap.dll (String)
HKEY_LOCAL_MACHINE\Comm\UDP2TCP\Port:7438 (DWord)
HKEY_LOCAL_MACHINE\Comm\UDP2TCP\DNS\Port:53 (DWord)
HKEY_LOCAL_MACHINE\Comm\Redir\RegisterFSRoot:1 (DWord)
HKEY_LOCAL_MACHINE\Comm\IrDA\Linkage\Bind:System.String[] (MultiString)
HKEY_LOCAL_MACHINE\Comm\Irsir\Linkage\Route:System.String[] (MultiString)
HKEY_LOCAL_MACHINE\Comm\Irsir1\Parms\IntIR:1 (DWord)
HKEY_LOCAL_MACHINE\Comm\Irsir1\Parms\TransceiverType:0 (DWord)
HKEY_LOCAL_MACHINE\Comm\Irsir2\Parms\BusNumber:0 (DWord)
HKEY_LOCAL_MACHINE\Comm\Irsir2\Parms\BusType:0 (DWord)
HKEY_LOCAL_MACHINE\Comm\Irsir2\Parms\IntIR:1 (DWord)
HKEY_LOCAL_MACHINE\Comm\Irsir2\Parms\TransceiverType:0 (DWord)
HKEY_LOCAL_MACHINE\Comm\Irsir2\Parms\DisablePowerManagement:1 (DWord)
HKEY_LOCAL_MACHINE\Comm\Irsir2\Parms\CheckForHangTimeInSeconds:3600 (DWord)
HKEY_LOCAL_MACHINE\Comm\SW ATPPP Modem\Parms\Tcpip\TcpWindowSize:25696...
...

Registry Dump

HKEY_USERS\.DEFAULT\XFS\LOGICAL_SERVICES\Auxiliaries\port     8001 (DWord)
HKEY_USERS\.DEFAULT\XFS\LOGICAL_SERVICES\Auxiliaries\Class    SIU (String)
HKEY_USERS\.DEFAULT\XFS\LOGICAL_SERVICES\CardReader\port      8003 (DWord)
HKEY_USERS\.DEFAULT\XFS\LOGICAL_SERVICES\CardReader\Class     IDC (String)
HKEY_USERS\.DEFAULT\XFS\LOGICAL_SERVICES\CashDispenser\port   8004 (DWord)
HKEY_USERS\.DEFAULT\XFS\LOGICAL_SERVICES\CashDispenser\Class  CDM (String)

What are we looking at?

Here's a hint: look at the key path (...\XFS\LOGICAL_SERVICES\...) and at the port values. 8001, 8003 and 8004 are the three unexplained ports from the scan.

XFS!

No, not the filesystem.

What is XFS? 


eXtensions for Financial Services 


LANA US) єў! +. VE 


Service Class 

Printers 

Identification Card Units 
Cash Dispensers 

PIN Pads 

Check Readers and Scanners 
Depository Units 

Text Terminal Units 

Sensors and Indicators Units 
Vendor Dependent Mode 
Cameras 

Alarms 

Card Embossing Units 
Cash-In Modules 

Card Dispensers 

Barcode Readers 

Item Processing Modules 


Class Name 
PTR 
IDC 
CDM 
PIN 
CHK 
DEP 
TTU 
SIU 
VDM 
CAM 
ALM 
CEU 
CIM 
CRD 
BCR 
IPM 


Class Identifier 


N о ~ ON A +. O м 


CEN (European Committee for Standardization), eBusiness: CWA16926 

"In March 2015, the CEN XFS Workshop released version 3.30 of the XFS specification under CWA 16926. The version 3.30 release extends the functionality and capabilities of the existing devices covered by the specification, but does not include any new device classes. Notable enhancements include support for EMV Intelligent Contactless Readers, TR34, Encrypting Touch Screen, enhanced reporting of shutter jam status for various devices and the addition of new commands to allow better support for the Asian marketplace. 

Migration from previous 3.x releases to 3.30 should be a manageable effort as the XFS 3.30 release was designed with backwards compatibility in mind. However, in order to assist with this effort a set of migration documents have been produced and are available within the CWA. The additional features supported in the existing device classes are detailed in these migration documents, and it is recommended that they should be used as a guide to the enhancements and new features contained in the release." 


Extensions for Financial Services (XFS) interface specification Release 3.30 (all documents are in PDF format): 
Part 1: Application Programming Interface (API) - Service Provider Interface (SPI) - Programmer's Reference 
Part 2: Service Class Definition - Programmer's Reference 
Part 3: Printer and Scanning Device Class Interface - Programmer's Reference 
Part 4: Identification Card Device Class Interface - Programmer's Reference 
Part 5: Cash Dispenser Device Class Interface - Programmer's Reference 
Part 6: PIN Keypad Device Class Interface - Programmer's Reference 
Part 7: Check Reader/Scanner Device Class Interface - Programmer's Reference 
Part 8: Depository Device Class Interface - Programmer's Reference 
Part 9: Text Terminal Unit Device Class Interface - Programmer's Reference 
Part 10: Sensors and Indicators Unit Device Class Interface - Programmer's Reference 
Part 11: Vendor Dependent Mode Device Class Interface - Programmer's Reference 
Part 12: Camera Device Class Interface - Programmer's Reference 
Part 13: Alarm Device Class Interface - Programmer's Reference 
Part 14: Card Embossing Unit Device Class Interface - Programmer's Reference 

ftp://ftp.cen.eu/CWA/CEN/WS-XFS/CWA16926/CWA 16926-1.pdf 


CEN WORKSHOP AGREEMENT                                   CWA 16926-5 
                                                         August 2015 

ICS 35.200; 35.240.15; 35.240.40 

English version 

Extensions for Financial Services (XFS) interface specification 
Release 3.30 - Part 5: Cash Dispenser Device Class Interface - 
Programmer's Reference 

This CEN Workshop Agreement has been drafted and approved by a Workshop of representatives of interested parties, the constitution of which is indicated in the foreword of this Workshop Agreement. 

The formal process followed by the Workshop in the development of this Workshop Agreement has been endorsed by the National Members of CEN but neither the National Members of CEN nor the CEN-CENELEC Management Centre can be held accountable for the technical content of this CEN Workshop Agreement or possible conflicts with standards or legislation. 

This CEN Workshop Agreement can in no way be held as being an official standard developed by CEN and its Members. 

This CEN Workshop Agreement is publicly available as a reference document from the CEN Members National Standard Bodies. 
CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom. 




Back to the ports 


something related to XFS... 


Registry Dump 


HKEY_USERS\.DEFAULT\XFS\LOGICAL_SERVICES\Auxiliaries\port 
8001 (DWord) 

HKEY_USERS\.DEFAULT\XFS\LOGICAL_SERVICES\Auxiliaries\Class 
SIU (String) 

HKEY_USERS\.DEFAULT\XFS\LOGICAL_SERVICES\CardReader\port 
8003 (DWord) 

HKEY_USERS\.DEFAULT\XFS\LOGICAL_SERVICES\CardReader\Class 
IDC (String) 

HKEY_USERS\.DEFAULT\XFS\LOGICAL_SERVICES\CashDispenser\port 
8004 (DWord) 

HKEY_USERS\.DEFAULT\XFS\LOGICAL_SERVICES\CashDispenser\Class 
CDM (String) 


Registry Key            Class (where the dump shows one) 
Auxiliaries             SIU 
Doors 
GuideLights 
Indicators 
Sensors 
Camera 
CardReader              IDC 
CashDispenser           CDM 
Encryptor 
OperatorPanel 
ReceiptPrinter 
RFIDReader 
VendorDependentMode     VDM 




Open 
Ports 


Open 


Ports + XFS 


Packet structure? 


Can connect to the ports, but don't see any traffic. 


Let's sniff them. 


How do the packets smell? 




Wireshark version for Win CE 


Q: Is there a Wireshark version I can use on a Windows CE mobile computer? 
asked 11 Oct '17, 11:02 by Chris K 

One Answer: 
No. 
answered 11 Oct '17, 11:24 by Guy Harris 


WinCE does have packet 
capture abilities... 


But it's not built into the ATM image 


JTAG! 


To do: 

- intercept socket create calls 
- map socket handles to services 
- intercept socket send and recv calls 
- save all traffic 


Graph overview (IDA disassembly of the service start-up code; only parts of the screenshot are legible). What can be recovered: the code builds a key path from the string ".DEFAULT\\XFS\\LOGICAL_SERVICES\\" followed by the service name (strlen, then MultiByteToWideChar with cchWideChar = 0x100), opens that key with RegOpenKeyExW (samDesired = 0x20019, i.e. KEY_READ; ulOptions = 0), and then reads the "Port" value into a 4-byte buffer (lpType = 0, lpReserved = 0, lpData, lpcbData = 4, lpValueName = "Port"): the same registry entries as in the dump, read at service start. 

Hex-editor view of the captured socket traffic (screenshot residue). Capture files visible: 0087-send-socket, 0099-recv-socket (36 bytes), 0020-send-socket (44 bytes), 0062-send-socket (72 bytes); the editor's data inspector is set to signed little-endian decimal integers. 


Can we replay? 


Cash Dispenser - Dispense Struct 


typedef struct _wfs_cdm_dispense 
{ 
    USHORT                  usTellerID; 
    USHORT                  usMixNumber; 
    WORD                    fwPosition; 
    BOOL                    bPresent; 
    LPWFSCDMDENOMINATION    lpDenomination; 
} WFSCDMDISPENSE, *LPWFSCDMDISPENSE; 




Replay tool (screenshot, mostly illegible): a Python script that imports argparse, ctypes and the talk's own xfs / HeXFS module, builds an argparse parser, parses the service and XFS module arguments and walks the captured dumps by index. The remainder of the screenshot cannot be read. 

dumps2 

DUMPING ./0031-send-socket- 
CMDCODE: 0x00000326 806 
DATA: | 00 | 04 | 

DUMPING ./0033-send-socket- 
CMDCODE: 0x00000321 801 
DATA: | 
00000000 00000000 0000 
00000002 00000000 0000 
00000000 00000000 0000 
00000000 00000000 0000 
00000000 00000001 00000000 00000000 
AAAAAAAA AAAAAAAA 

DUMPING ./0027-send-socket- 
CMDCODE: 0x000000CF 207 
DATA: | 00 | 04 | 08 | 0C | 
00000034 0000000C 00000000 00000002 
00000018 0000001C 00000000 35353535 
35353535 35353535 35353535 3130323D 
31303131 00010001 00000000 00000000 
0000 
(ASCII column: the 0x35 runs read as "5555 5555 5555 ...", the tail as "...201 1101") 




/******************************************************************************
*                                                                             *
* xfsidc.h      XFS - Identification card unit (IDC) definitions              *
*                                                                             *
*               Version 3.30  (March 19 2015)                                 *
*                                                                             *
******************************************************************************/

#ifndef __INC_XFSIDC__H
#define __INC_XFSIDC__H

#ifdef __cplusplus
extern "C" {
#endif

#include <xfsapi.h>

/* be aware of alignment */
#pragma pack (push, 1)

/* values of WFSIDCCAPS.wClass */

#define WFS_SERVICE_CLASS_IDC               (2)
#define WFS_SERVICE_CLASS_NAME_IDC          "IDC"
#define WFS_SERVICE_CLASS_VERSION_IDC       (0x1E03) /* Version 3.30 */

#define IDC_SERVICE_OFFSET                  (WFS_SERVICE_CLASS_IDC * 100)




IDC 

DUMPING ./0027-send-socket- 
CMDCODE: 0x000000CF 207   ->  IDC_SERVICE_OFFSET (200) + 7  =  WFS_CMD_IDC_READ_RAW_DATA 
DATA: | 00 | 04 | 08 | 0C | 
00000034 0000000C 00000000 00000002 
00000018 0000001C 00000000 35353535 
35353535 35353535 35353535 3130323D 
31303131 00010001 00000000 00000000 


Replay script (screenshot, only fragments legible): 

    ... (HERECOMESTHEMONEY) 
    ... hexlify(message).decode("ascii")) 
    ... 0x2E010000,                                   # 0x0000012E = 302 as a little-endian DWORD 
    ... binascii.hexlify(response_size).decode('ascii')) 
    ... binascii.hexlify(response_data).decode('ascii')) 
    ... time.sleep(4) 


#define WFS_CMD_CDM_DISPENSE                (CDM_SERVICE_OFFSET + 2) 
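The numbers in the dumps follow the scheme in the headers: a command code is the service-class identifier times 100 plus a per-class offset, so 207 is IDC command 7 (WFS_CMD_IDC_READ_RAW_DATA) and the little-endian DWORD 2E 01 00 00 is 302, CDM command 2 (WFS_CMD_CDM_DISPENSE). The following Python is an added example, not code from the talk; it parses the registry dump reproduced from the slides, decodes captured command codes into class and offset, and names only the two commands the deck identifies. The class-identifier table (1 = PTR through 16 = IPM) is taken from the standard xfsapi.h numbering; the deck itself only confirms IDC = 2 and the class * 100 offset rule.

```python
"""Decode the XFS artefacts shown in the deck: registry entries and command codes."""
import re

# Service-class identifiers as numbered in xfsapi.h. The deck shows WFS_SERVICE_CLASS_IDC (2)
# and IDC_SERVICE_OFFSET = class * 100; the other values are the standard ones (assumption).
XFS_CLASSES = {
    1: "PTR", 2: "IDC", 3: "CDM", 4: "PIN", 5: "CHK", 6: "DEP", 7: "TTU", 8: "SIU",
    9: "VDM", 10: "CAM", 11: "ALM", 12: "CEU", 13: "CIM", 14: "CRD", 15: "BCR", 16: "IPM",
}

# Command names the deck identifies explicitly; anything else is reported as class + offset only.
KNOWN_COMMANDS = {
    ("IDC", 7): "WFS_CMD_IDC_READ_RAW_DATA",   # 207 in the 0027 capture
    ("CDM", 2): "WFS_CMD_CDM_DISPENSE",        # 302, i.e. 2E 01 00 00 on the wire
}

KEY_RE = re.compile(
    r"^HKEY_USERS\\\.DEFAULT\\XFS\\LOGICAL_SERVICES\\(\w+)\\(port|class)$", re.IGNORECASE
)
VALUE_RE = re.compile(r"^(\S+)\s+\((DWord|String)\)$", re.IGNORECASE)
CMDCODE_RE = re.compile(r"^CMDCODE:\s*0x([0-9A-Fa-f]+)\s+(\d+)$", re.MULTILINE)

# Registry dump reproduced from the deck's slide.
REGISTRY_DUMP = r"""
HKEY_USERS\.DEFAULT\XFS\LOGICAL_SERVICES\Auxiliaries\port
8001 (DWord)
HKEY_USERS\.DEFAULT\XFS\LOGICAL_SERVICES\Auxiliaries\Class
SIU (String)
HKEY_USERS\.DEFAULT\XFS\LOGICAL_SERVICES\CardReader\port
8003 (DWord)
HKEY_USERS\.DEFAULT\XFS\LOGICAL_SERVICES\CardReader\Class
IDC (String)
HKEY_USERS\.DEFAULT\XFS\LOGICAL_SERVICES\CashDispenser\port
8004 (DWord)
HKEY_USERS\.DEFAULT\XFS\LOGICAL_SERVICES\CashDispenser\Class
CDM (String)
"""

# Command-code lines reproduced from the deck's dump output.
CAPTURE = """
DUMPING ./0031-send-socket-
CMDCODE: 0x00000326 806
DUMPING ./0033-send-socket-
CMDCODE: 0x00000321 801
DUMPING ./0027-send-socket-
CMDCODE: 0x000000CF 207
"""


def parse_registry_dump(text):
    """Return {logical service: {"port": int, "class": str}} from key-line / value-line pairs."""
    services = {}
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("dump must alternate key line / value line")
    for key_line, value_line in zip(lines[0::2], lines[1::2]):
        km, vm = KEY_RE.match(key_line), VALUE_RE.match(value_line)
        if not (km and vm):
            raise ValueError(f"unrecognised pair: {key_line!r} / {value_line!r}")
        service, field = km.group(1), km.group(2).lower()
        value, vtype = vm.group(1), vm.group(2).lower()
        services.setdefault(service, {})[field] = int(value) if vtype == "dword" else value
    return services


def decode_cmdcode(code):
    """Split an XFS command code into (class name, offset, known command name or None)."""
    cls = XFS_CLASSES.get(code // 100)
    if cls is None:
        raise ValueError(f"command code {code} is not in any service-class range")
    offset = code % 100
    return cls, offset, KNOWN_COMMANDS.get((cls, offset))


def cmdcode_from_wire(raw):
    """The command code travels as a 32-bit little-endian integer (2E 01 00 00 -> 302)."""
    return int.from_bytes(raw[:4], "little")


def parse_capture(text):
    """Extract the decimal command codes from the dump output, checking hex and decimal agree."""
    codes = []
    for m in CMDCODE_RE.finditer(text):
        hex_val, dec_val = int(m.group(1), 16), int(m.group(2))
        if hex_val != dec_val:
            raise ValueError(f"hex {hex_val} and decimal {dec_val} disagree")
        codes.append(dec_val)
    return codes


def service_inventory(dump_text):
    """Sorted (port, class, service) tuples: every XFS logical service reachable over TCP."""
    services = parse_registry_dump(dump_text)
    return sorted((v["port"], v["class"], name) for name, v in services.items())


def describe_capture(dump_text, capture_text):
    """Annotate each captured command code with its class, offset, known name and service port."""
    port_by_class = {v["class"]: v["port"] for v in parse_registry_dump(dump_text).values()}
    rows = []
    for code in parse_capture(capture_text):
        cls, offset, name = decode_cmdcode(code)
        rows.append({"code": code, "class": cls, "offset": offset,
                     "name": name, "port": port_by_class.get(cls)})
    return rows


if __name__ == "__main__":
    for port, cls, name in service_inventory(REGISTRY_DUMP):
        print(f"tcp/{port}  {cls}  {name}")
    for row in describe_capture(REGISTRY_DUMP, CAPTURE):
        print(row)
```

Run against the deck's own dump this lists tcp/8001 SIU, tcp/8003 IDC and tcp/8004 CDM, and tags the 0027 capture as IDC offset 7 on port 8003; codes 806 and 801 come back as SIU offsets 6 and 1 with no name, because the slides do not name them.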


Can we run any XFS 
command? 


Oh yes we can 


Protip 

If you're using TCP sockets for IPC, don't listen on 0.0.0.0. 


And do a port scan before you ship a device 
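Both protips can be turned into code: an IPC endpoint that refuses to bind anywhere but loopback, and a ship-time audit that flags every listening socket bound to a wildcard or external address. The Python below is an added example written for this page, not the talk's or any vendor's code; the Windows-style netstat output it audits is constructed (the 800x ports mirror the deck's registry dump, the loopback and IPv6 lines are made up).

```python
"""Loopback-only IPC listener plus a bind-address audit for the 'don't listen on 0.0.0.0' protip."""
import ipaddress
import re
import socket

# Constructed `netstat -an` output in the Windows layout. 8001/8003/8004 are the XFS service
# ports from the deck's registry dump; 9100 and 8005 are made up for the example.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:8001           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8003           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8004           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:9100         0.0.0.0:0              LISTENING
  TCP    [::]:8005              [::]:0                 LISTENING
"""

LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.MULTILINE)


def is_loopback(addr):
    """True only for 127.0.0.0/8 and ::1; wildcard (0.0.0.0, ::) and real interfaces are False."""
    return ipaddress.ip_address(addr.strip("[]")).is_loopback


def open_ipc_listener(host="127.0.0.1", port=0):
    """Bind a TCP IPC endpoint, refusing any address that is not loopback.

    Binding to 0.0.0.0 exposes the service on every interface of the box; a service
    meant only for local processes should fail loudly rather than accept that.
    """
    if not is_loopback(host):
        raise ValueError(f"refusing to bind IPC listener to non-loopback address {host}")
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.bind((host, port))
    sock.listen(1)
    return sock


def audit_listeners(netstat_text):
    """Return (port, address) for every listening TCP socket reachable from off the box."""
    exposed = []
    for m in LISTEN_RE.finditer(netstat_text):
        addr, port = m.group(1), int(m.group(2))
        if not is_loopback(addr):
            exposed.append((port, addr))
    return sorted(exposed)


if __name__ == "__main__":
    for port, addr in audit_listeners(SAMPLE_NETSTAT):
        print(f"EXPOSED  {addr}:{port}")
    srv = open_ipc_listener()          # binds 127.0.0.1 on an ephemeral port
    print("local IPC listener on", srv.getsockname())
    srv.close()
```

The audit parses the same `netstat -an` output a port scan would confirm from outside, so it can run as a build step before a device image ships; any XFS service port showing up in the EXPOSED list is a bind that should have been 127.0.0.1.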


XFS Vulnerability Demo 


555 


Thanks! 


